General

  • Target

    QUOTE B1018530.doc

  • Size

    210KB

  • Sample

    211022-jtt88scbgj

  • MD5

    0d1e47f9c9e97439af102247df16e32f

  • SHA1

    e6c179251a9ced22d13c32d8f3e7bc148347bbf1

  • SHA256

    5e719cefe52f3351eeb10b2aa74d5454493bd1365ca8258867ffa2affe8a17b3

  • SHA512

    4fb9412ded80376d952254fb00bca9e3faae3a9ab5d8d0ae402c2a57546bd8c6569245fb79506cb210ea9c2c3d5d1bf6b8c836261f7384142341a269268d183c

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mxwf

C2

http://www.zahnimplantatangebotede.com/mxwf/

Decoy

orders-cialis.info

auctionorbuy.com

meanmugsamore.com

yachtcrewmark.com

sacredkashilifestudio.net

themintyard.com

bragafoods.com

sierp.com

hausofdeme.com

anthonyjames915.com

bajardepesoencasa.com

marciaroyal.com

earringlifter.com

dsdjfhd9ddksa1as.info

bmzproekt.com

employmentbc.com

ptsdtreatment.space

vrchance.com

cnrongding.com

welovelit.com

Targets

    • Target

      QUOTE B1018530.doc

    • Size

      210KB

    • MD5

      0d1e47f9c9e97439af102247df16e32f

    • SHA1

      e6c179251a9ced22d13c32d8f3e7bc148347bbf1

    • SHA256

      5e719cefe52f3351eeb10b2aa74d5454493bd1365ca8258867ffa2affe8a17b3

    • SHA512

      4fb9412ded80376d952254fb00bca9e3faae3a9ab5d8d0ae402c2a57546bd8c6569245fb79506cb210ea9c2c3d5d1bf6b8c836261f7384142341a269268d183c

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials and form data from browsers and other applications, logs keystrokes, and exfiltrates the results to its C2 over HTTP GET/POST check-ins of the kind the Suricata signature below matches.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
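Added example, not part of the Triage report and not the sandbox's own code: a small Python matcher that turns the extracted config above (C2 URL, campaign path, decoy list) and the report's hashes into checks you can run over proxy logs and a retrieved sample. It assumes a constructed log format of `timestamp client method url status`; the sample log lines are made up here, not taken from the sandbox run. The design point it makes: Formbook beacons to its decoy domains with the same campaign path as the real C2, so a decoy host requested with `/mxwf/` is a confident match, while the decoys on their own are frequently ordinary websites and should not go straight onto a blocklist.

```python
"""Match proxy-log requests and sample hashes against the extracted Formbook config."""
import hashlib
from urllib.parse import urlparse

# Values copied from the report above.
C2_URL = "http://www.zahnimplantatangebotede.com/mxwf/"
CAMPAIGN = "mxwf"
DECOY_DOMAINS = {
    "orders-cialis.info", "auctionorbuy.com", "meanmugsamore.com",
    "yachtcrewmark.com", "sacredkashilifestudio.net", "themintyard.com",
    "bragafoods.com", "sierp.com", "hausofdeme.com", "anthonyjames915.com",
    "bajardepesoencasa.com", "marciaroyal.com", "earringlifter.com",
    "dsdjfhd9ddksa1as.info", "bmzproekt.com", "employmentbc.com",
    "ptsdtreatment.space", "vrchance.com", "cnrongding.com", "welovelit.com",
}
REPORT_HASHES = {
    "md5": "0d1e47f9c9e97439af102247df16e32f",
    "sha1": "e6c179251a9ced22d13c32d8f3e7bc148347bbf1",
    "sha256": "5e719cefe52f3351eeb10b2aa74d5454493bd1365ca8258867ffa2affe8a17b3",
    "sha512": "4fb9412ded80376d952254fb00bca9e3faae3a9ab5d8d0ae402c2a57546bd8c6"
              "569245fb79506cb210ea9c2c3d5d1bf6b8c836261f7384142341a269268d183c",
}


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so the C2 and
    decoy hosts compare the same way however the log recorded them."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = normalize_host(urlparse(C2_URL).hostname)
CAMPAIGN_PATH = f"/{CAMPAIGN}/"


def classify_request(url):
    """Classify one requested URL against the extracted config.

    Returns:
      'c2'            the real C2 host on any path: block and investigate
      'decoy-checkin' a decoy host requested with the campaign path /mxwf/,
                      the same beacon shape as the C2 check-in: high confidence
      'decoy-host'    a decoy host without the campaign path: decoys are often
                      ordinary sites, so on its own this is weak evidence
      None            not an indicator
    """
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    host = normalize_host(parsed.hostname)
    if host == C2_HOST:
        return "c2"
    if host in DECOY_DOMAINS:
        return "decoy-checkin" if parsed.path.startswith(CAMPAIGN_PATH) else "decoy-host"
    return None


def scan_proxy_log(lines):
    """Return (client, url, verdict) for every line of a constructed
    'timestamp client method url status' proxy log that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the sweep
        _ts, client, _method, url, _status = parts[:5]
        verdict = classify_request(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


def matching_hashes(data):
    """Return the algorithms for which `data` matches the report's hashes,
    for confirming a retrieved file is the sample analysed here."""
    return {alg for alg, want in REPORT_HASHES.items()
            if hashlib.new(alg, data).hexdigest() == want}


# Constructed sample log lines (not from the report). The last one is a decoy
# host visited for an unrelated page and should come out as low confidence.
SAMPLE_LOG = [
    "2021-10-22T09:14:02Z 10.0.0.15 GET http://www.zahnimplantatangebotede.com/mxwf/?ab=1 200",
    "2021-10-22T09:14:05Z 10.0.0.15 GET http://www.bragafoods.com/mxwf/ 404",
    "2021-10-22T09:14:07Z 10.0.0.15 GET https://update.example.net/ok 200",
    "2021-10-22T09:15:11Z 10.0.0.22 GET https://employmentbc.com/jobs/list 200",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:14} {client:10} {url}")
```

Treat a `c2` verdict as a confirmed infection on that client; treat `decoy-checkin` the same way, since the path is specific to this campaign; and use `decoy-host` only to prioritise hunting, not to block.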

MITRE ATT&CK Matrix ATT&CK v6

Execution
  Exploitation for Client Execution (T1203): 1

Defense Evasion
  Modify Registry (T1112): 1

Discovery
  Query Registry (T1012): 2
  System Information Discovery (T1082): 2
